ortuman/jackal

Impact of `encoding/xml` vulns

licaon-kter opened this issue · 4 comments

Sorry, but I think I'm missing some context here. How are these vulnerabilities supposed to affect the project?

It affects go stuff that processes xml, jackal does this, maybe it's too.

It's more a heads-up, you'd need to analyze if your usage is impacted or not.

If there is no security concern related to the ordering of attributes and elements, I don't believe these types of vulnerabilities affect the project. Basically, there is no way to ensure deterministic ordering between a struct and xml doc through round trips. There are third party libraries which may be discussed in that blog post, if I recall, which can help this, but my guess is that this is not necessary unless you have some of the same concerns as projects like SAML which I believe is where this was identified as an issue.
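As an added example (not code from the jackal project or from anyone in this thread), the Go program below demonstrates the non-deterministic round trip the last comment refers to: `encoding/xml` unmarshals child elements by name regardless of their order in the document, and `xml.Marshal` re-emits them in struct field order, so the re-serialized bytes (and any digest over them) differ from the original. The `Assertion` struct and the sample document are constructed for illustration and are not part of jackal; the practical takeaway for a defender is that any signature or digest check must run over the bytes that were actually received, never over a re-serialized copy.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Assertion is a hypothetical struct whose field order (Issuer, Subject,
// Condition) deliberately differs from the element order in the sample document.
type Assertion struct {
	XMLName   xml.Name `xml:"Assertion"`
	Issuer    string   `xml:"Issuer"`
	Subject   string   `xml:"Subject"`
	Condition string   `xml:"Condition"`
}

// input is a constructed sample document; its element order is
// Subject, Condition, Issuer, i.e. not the struct's field order.
const input = `<Assertion><Subject>alice</Subject><Condition>x</Condition><Issuer>idp</Issuer></Assertion>`

// RoundTrip unmarshals doc into Assertion and marshals it back to XML.
// encoding/xml matches elements by name, so the parse succeeds, but the
// output follows the struct's field order rather than the document's.
func RoundTrip(doc string) (string, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(doc), &a); err != nil {
		return "", err
	}
	out, err := xml.Marshal(a)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// PreservesBytes reports whether a round trip reproduced the original bytes exactly.
func PreservesBytes(doc string) (bool, error) {
	out, err := RoundTrip(doc)
	if err != nil {
		return false, err
	}
	return bytes.Equal([]byte(out), []byte(doc)), nil
}

// Digest returns the hex SHA-256 of doc; a digest taken over re-serialized
// output will not match one taken over the received bytes when ordering changed.
func Digest(doc string) string {
	sum := sha256.Sum256([]byte(doc))
	return hex.EncodeToString(sum[:])
}

func main() {
	out, err := RoundTrip(input)
	if err != nil {
		panic(err)
	}
	same, _ := PreservesBytes(input)
	fmt.Println("original:    ", input)
	fmt.Println("round-trip:  ", out)
	fmt.Println("bytes equal: ", same)
	fmt.Println("digest(original)   =", Digest(input))
	fmt.Println("digest(round-trip) =", Digest(out))
}
```

Running it shows the re-serialized document with `Issuer` moved to the front and two different digests, which is exactly why a struct round trip cannot be relied on to reproduce what a peer sent.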